Re: [whatwg/url] Restructure URL rendering section and add additional guidance (#434)

annevk commented on this pull request.



>  
- <li><p>Other parts of the <a for=/>URL</a> should have their sequences of
- <a>percent-encoded bytes</a> replaced with code points resulting from
- <a>percent decoding</a> those sequences converted to bytes, unless that renders those
- sequences invisible.
+<p>In a space-constrained display, URLs should be elided carefully to avoid misleading the user when
+making a security decision:
+
+<ul>
+ <li><p>Ensure that at least the <a for=host>registrable domain</a> can be shown when the URL is
+ rendered (to avoid showing, e.g., <code>...examplecorp.com</code> when loading
+ <code>https://not-really-examplecorp.com/</code>).
+
+ <li><p>When the full <a for=url>host</a> cannot be rendered, elide domain labels starting from the
+ front. For example, <code>examplecorp.com.evil.com</code> should be elided as
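
Review bot: In the second added bullet, "domain labels" is used without a link or definition, while "registrable domain" and "host" in the same list are both linked terms, so the unit being elided is left to the implementer. Link or define the term before relying on it. "Starting from the front" also does not say which end of the host is meant; wording it as removing the labels furthest from the registrable domain would tie the rule to the first bullet and keep the security-relevant part visible. The first bullet could also state what to do when even the registrable domain does not fit in the available space.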

Skimming both a bit I guess strictly speaking this means we need to define something ourselves, as we don't talk about byte-based labels in the URL Standard.

https://tools.ietf.org/html/rfc5890#section-2.3.2.1 might have some building blocks, though nothing great. Anyway, this seems like a follow-up.


Received on Thursday, 21 March 2019 16:51:25 UTC